Deleting Temp folder

Katie

Hi, please can someone offer some advice?
2 days ago I opened a downloaded QuickTime movie but it didn't play, so when
I clicked the play icon I had lots of pop-ups which directed me to a website
which said
THIS WEBSPACE HAS BEEN SUSPENDED DUE TO NON PAYMENT!.
It gave the name of the www. to get the site online. "control dot
streameline dot net" and because I had a web page open at that time, now each
time I go to that web page it says the same thing. I know there is nothing
wrong with the real website as I have another PC and it is OK on there. Also
the website's address doesn't change as if it is redirected.
So I have done virus scans, and adaware scans, (I also had my firewall on
and pop-up blocker on too) but nothing found anything except for one online
scan which said I had an unknown Trojan in
"C:\Documents and Settings\chrissy\local settings\temp\autorun.exe"
"C:\Documents and Settings\chrissy\local settings\temp\autorungui.dll"
But the online scan won't remove it. So I remembered that on my other PC
Windows ME I could delete the temp contents without causing problems.
However now this laptop is XP and the Temp folder is quite different. In it
I have seen lots of other folders and things that look like they are not
meant to be deleted.
Can I safely delete the Temp folder in XP? I did a search for the files
that the online scan found and my search on my laptop couldn't find it at
all.
Is it possible for me to edit the registry to detach the trojan from this
web site? Can someone tell me how to do that please? I really need access
to the website on this laptop.
Please can anyone offer me any help?
Thanks so much in advance.
Chris
 
lvee

Temp files are all safe to delete, they are temp. files, after all, designed
for quick access. You will have to re-enter passwords, etc for sites that
you normally have passwords, etc, saved because the following procedure
removes them.
You can delete temp files in a couple of different ways,
This is for I.E.
Start>control panel>internet options>general tab> delete files, delete
cookies.
Also, click My Computer> right click local C: (assuming C is your local
drive) click properties>disk cleanup.
Katie said:
Is it possible for me to edit the registry to detach the trojan from this
web site?

No, you cannot edit the registry of the web site that you are trying to
enter.
You can, however, get a program designed to hunt and destroy Trojans from
your registry.
The Major Geeks have some that you can purchase, and they have freeware
versions.
 
pcbutts1

Turn off system restore then Download, install, update and run all of the
following.

CrapCleaner
http://www.pcbutts1.com/downloads/ccsetup123.exe

Ad-Aware
http://www.pcbutts1.com/downloads/aawsepersonal.exe

Spybot search and destroy
http://www.pcbutts1.com/downloads/spybotsd14.exe

Ewido Security Suite Trial version
http://www.pcbutts1.com/downloads/ewidosetup.exe

Microsoft Windows AntiSpyware (Beta1)
http://www.microsoft.com/downloads/...A2-6A57-4C57-A8BD-DBF62EDA9671&displaylang=en

If none of the above fixes the issue then download Hijack this, run it, save
a copy of the log file and cut and paste it back here to this group so that
I can analyze it. Ignore anyone especially the troll Leythos, who will tag
along a nonsense post to this message, who tells you to post it elsewhere. I
need to see it not them.


HijackThis
http://www.pcbutts1.com/downloads/HijackThis.zip


The authors of the above programs, with the exception of Microsoft, have given
the owner of pcbutts1.com express written permission to redistribute their
software.

--


The best live web video on the internet http://www.seedsv.com/webdemo.htm
NEW Embedded system W/Linux. We now sell DVR cards.
See it all at http://www.seedsv.com/products.htm
Sharpvision simply the best http://www.seedsv.com
 
Leythos

pcbutts1 said:
Turn off system restore then Download, install, update and run all of the
following.

Only download software you can validate as uncompromised - in the case
of a non-vendor site you have no guarantee that the files are unmodified
or uncompromised. Anyone providing a link to a non-vendor's site with a
direct download should not be trusted; the vendors' sites are the safest
place to download their application.

Always remember - only download files from Trusted Sites.

These sites are for downloading Anti-Spyware tools, in order that I
would use them myself:

AdAwareSE can be found here:
http://www.lavasoft.de/support/download/

SpyBot Search and Destroy can be found here:
http://www.safer-networking.org/en/download/index.html

HiJack can be found here:
http://www.spywareinfo.com/~merijn/downloads.html

Ewido Security Suite Trial can be found here:
http://www.ewido.net/en/download/

CrapCleaner can be found at the vendor's site here:
http://www.ccleaner.com/ccdownload.asp

CleanUp can be found at the vendor's site here:
http://www.stevengould.org/software/cleanup/download.html
or from another reputable source:
http://www.tucows.com/get/405276_152071

The following are two links to Antivirus software in order that I would
use them:

You can also download Symantec Trial version of their Antivirus software
from here:
http://www.symantec.com/downloads/

Download AVG Personal Free edition from here:
http://free.grisoft.com/freeweb.php/doc/2/

These are the actual vendors' sites, not some unknown or authorized
no-name site. They also don't artificially increase the hits for sites that
get paid for the amount of traffic they can generate like one poster has
admitted to in this group.
According to PCBUTTS1
The authors of the above programs, with the exception of Microsoft, have given
the owner of pcbutts1.com express written permission to redistribute their
software.

Except he can't prove it and none of them validate his statement.
 
Katie

Thanks,
This is one of the very few viruses or adware that I have had on my laptop
in 5 years of using it. Normally I never have problems, but with a QuickTime
movie I thought it wouldn't be possible to have these problems. I was
wrong, and in future I will be scanning everything. But like I said I have a
good anti-virus installed with nearly all of the programs that you have
listed running too, but this one slipped through.
Thanks so much for the links. I will try Ewido and crap cleaner (lol).
Thanks for your time taken to reply. I am very grateful to you all.
Chris
 
anthonyyates

Does anybody know how to fix this issue?

THIS WEBSPACE HAS BEEN SUSPENDED DUE TO NON PAYMENT

I've started getting the same problem recently when visiting certain
sites.
I've used all the ad/spy ware cleaners mentioned above but none of them
have corrected the problem. I have my Firewall active and I use Norton
AntiVirus 2005 so not sure how I got this problem.

Cheers,

Anthony
 
David Candy

Rename both files. If you have permissions too you will be allowed to rename but not delete. Then reboot and the name change may fool the program. Then you should be able to delete.
 
katie

I appreciate your help, however I have done everything that everyone has
suggested and still this one website will open saying ..
THIS WEBSPACE HAS BEEN SUSPENDED DUE TO NON PAYMENT
I have deleted my temp folder contents, done a system restore, cleaned my
registry, run spyware removal programs, run antivirus programs, and the
things that have been suggested to do in this news group, and not anything
can detect anything wrong, so why am I still having the same problem? I
guess I will reformat at some stage and then it should be ok, but I will do
this as a last resort and for this one little problem with one website I
think I will tolerate it, providing there is really nothing else horrible
lurking on my laptop.
Thanks again for all your help.
 
David Candy

Your HJ logs show sus things. Like a HotDate thing. Do you subscribe to a hot date thing?

--
--------------------------------------------------------------------------------------------------
http://webdiary.smh.com.au/archives/_comment/001075.html
=================================================
katie said:
I have done that and still the same thing happens when I go to the home page
of this particular website. All other areas of the website are ok.
Shall I just give up?
 
S. Taylor

When you did your AV and spyware, etc., checks,
did you also verify the legitimacy of all your running processes?
And check your hosts file for entries that refer to that website?

katie said:
I have done that and still the same thing happens when I go to the home
page of this particular website. All other areas of the website are ok.
Shall I just give up?
 
S. Taylor

Some video files can tell certain video players to open 1 or more websites,
including Windows Media Player.
These webpages can then install malicious ActiveX programs that in turn
install spyware, hijackers, etc.
I've even seen a webpage trick IE 6 into running an HTA file, without asking
me for permission, which opened several full-sized IE windows to try and
distract me from the fact that it was creating a couple dozen shortcuts and
trying to download and run a screen saver.

While cleaning up the mess, I also discovered that the site had installed
an ActiveX object that downloaded 2 files, 1 to C:\
and 1 to the system folder. 1 of them would copy and rename the other file
each time I shut down and make sure a startup entry existed for it.

What it sounds like happened to you is that the video file opened multiple
websites, and at least 1 of them installed a hijacker
that may be running as a BHO of some sort.

There are very few ways for a program to autorun in Windows:
1) Start folder entry
2) Registry Run entries
3) BHOs
4) Virus infected file loads it or is it.
5) It's also possible that entries were added to your hosts file, to
redirect you to a certain website without altering the address bar.

If you still have malicious software running you need to verify every
running process.
1) Easily checked and verified.
2) You can check these entries with Spybot Search & Destroy or msconfig.exe
3) You should be able to view most, if not all installed BHOs from IE's
Tools | Internet | Programs Tab | Manage Add-ons Button

5) Spybot can show you the contents of your hosts file or you can navigate it
in a text editor

Spybot can also show you your installed BHOs and registered ActiveX
objects, Running Processes, and Start Up Items.
I would find each file that loads as a startup item, all BHOs, and ActiveX
objects. Check filenames that seem odd or out of place.
Right click on each file and select Properties. If it's a system file or
from MS it should have a Version tab with author|company info, description
etc.
This info should give you a clue as to its legitimacy, and I've found that
many authors of malicious software can't help but use this area
to brag how L33T they are. (Please pardon my use of really really lame slang
used by really really really lame persons.)

If, after reviewing each loading file, you still don't have any suspicions,
you can use msconfig.exe to keep Start Up items from loading,
to try and narrow down the possibilities, by booting with a limited startup
and trying to browse the net.

You can also ask here about any entries (Startup, BHO, ActiveX, Hosts file,
etc.) that you are unsure about.
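
The hosts-file check suggested in the replies above, as an added example that is not part of the original thread: a small Python audit that parses hosts-file syntax and reports every entry that pins or blocks a name, marking the ones that affect the site you cannot reach. The sample file, the `example-forum.test` name and the addresses are constructed placeholders.

```python
import ipaddress
import sys

# Constructed sample in hosts-file syntax; names and addresses are placeholders.
SAMPLE_HOSTS = """\
# sample hosts file (constructed for this example)
127.0.0.1       localhost
203.0.113.45    www.example-forum.test example-forum.test  # constructed entry
0.0.0.0         ads.example.test
not-an-ip       broken.example.test
"""


def parse_hosts(text):
    """Yield (line_no, ip_or_None, hostnames) for every mapping line."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue  # blank, comment-only, or an address without a name
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            ip = None  # first field is not an IP address
        yield line_no, ip, [h.lower().rstrip(".") for h in fields[1:]]


def audit_hosts(text, site):
    """Return (line_no, name, address, verdict, on_site) for each non-stock entry."""
    site = site.lower().rstrip(".")
    findings = []
    for line_no, ip, names in parse_hosts(text):
        for name in names:
            if ip is None:
                verdict = "malformed"
            elif ip.is_loopback or ip.is_unspecified:
                if name == "localhost":
                    continue  # the stock localhost entry
                verdict = "blocked"   # name points at this machine or nowhere
            else:
                verdict = "redirect"  # name pinned to a fixed address, DNS bypassed
            on_site = name == site or name.endswith("." + site)
            findings.append((line_no, name, str(ip) if ip else None, verdict, on_site))
    return findings


if __name__ == "__main__":
    # Usage: python audit_hosts.py <site> [path-to-hosts]; falls back to the sample.
    site = sys.argv[1] if len(sys.argv) > 1 else "example-forum.test"
    text = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_HOSTS
    for finding in audit_hosts(text, site):
        print(finding)
```

On Windows XP the file to pass in is `%SystemRoot%\system32\drivers\etc\hosts`. A "redirect" finding with `on_site` set is the case described in item 5 above: the browser shows the normal address while the name resolves to whatever the entry says.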
 
